Page MenuHomePhabricator
Differential D10136

Make the current session key a component of the CSRF token
ClosedPublic
Actions

Authored by epriestley on Aug 3 2014, 6:56 PM.
Tags
None
Referenced Files
F14057261: D10136.diff
Sun, Nov 17, 1:49 AM
F14054632: D10136.id24405.diff
Sat, Nov 16, 3:35 AM
F14054631: D10136.id24375.diff
Sat, Nov 16, 3:34 AM
F14035431: D10136.id24375.diff
Sun, Nov 10, 5:55 AM
F13990863: D10136.id24375.diff
Tue, Oct 22, 6:49 AM
F13983233: D10136.diff
Oct 20 2024, 5:00 AM
F13982921: D10136.id24375.diff
Oct 20 2024, 2:57 AM
F13978947: D10136.id.diff
Oct 19 2024, 1:46 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T5510: Bind CSRF tokens to a "session core" secret
Commits
Restricted Diffusion Commit
rP42cf7f6faa10: Make the current session key a component of the CSRF token
Summary

Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan
  • With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  • Verified the token from one browser did not work in the other browser's session.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 24375.Aug 3 2014, 6:56 PM
epriestley retitled this revision from to Make the current session key a component of the CSRF token.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T5510: Bind CSRF tokens to a "session core" secret.
Herald added a subscriber: epriestley. · View Herald TranscriptAug 3 2014, 6:56 PM
Harbormaster completed remote builds in B2020: Diff 24375.Aug 3 2014, 6:57 PM
btrahan accepted this revision.Aug 4 2014, 6:54 PM
btrahan edited edge metadata.
This revision is now accepted and ready to land.Aug 4 2014, 6:54 PM
epriestley closed this revision.Aug 4 2014, 7:04 PM
epriestley updated this revision to Diff 24405.

Closed by commit rP42cf7f6faa10 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
applications/
auth/
engine/
3 lines
people/
storage/
4 lines

Diff 24405

View Options

src/applications/auth/engine/PhabricatorAuthSessionEngine.php

Loading...
View Options

src/applications/people/storage/PhabricatorUser.php

Loading...
Phabricator · Built by Phacility